LSA Secrets

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.

The reg utility (reg.exe) can be used to extract the secrets from the Registry; Mimikatz can be used to extract them from memory.
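Because both extraction paths named above leave traces in Windows event logs, a defender can look for them: a process-creation record (Security event 4688, or Sysmon event 1) in which reg.exe saves or exports the SECURITY, SYSTEM or SAM hive, and a registry object-access record (Security event 4663) in which a process other than LSA reads under the Secrets key. The following detector is an added example, not part of the original page or of the mimikatz project. It assumes the events have already been parsed into dictionaries with the field names used here, that a SACL auditing read access on HKLM\SECURITY\Policy\Secrets is in place (otherwise no 4663 events are generated for that key), and that lsass.exe is the only process expected to read that key; all sample events are constructed.

```python
import re

# Hives whose export exposes LSA secret material (SECURITY) or the boot key
# needed to decrypt it (SYSTEM); SAM is included because it is usually taken
# alongside them. Matching is case-insensitive.
HIVE_PATTERN = re.compile(r"(?:HKLM|HKEY_LOCAL_MACHINE)\\(SECURITY|SYSTEM|SAM)\b",
                          re.IGNORECASE)
REG_EXPORT_VERBS = {"save", "export"}

# Registry object name as it appears in Security event 4663 (assumption: the
# key has a SACL that audits read access).
SECRETS_KEY_PREFIX = r"\REGISTRY\MACHINE\SECURITY\POLICY\SECRETS"

# Processes expected to read the Secrets key as part of normal LSA operation.
ALLOWED_SECRETS_READERS = {r"c:\windows\system32\lsass.exe"}


def check_process_creation(event):
    """Return an alert string if a reg.exe launch saves/exports a credential hive."""
    image = event.get("image", "").lower()
    if not image.endswith("\\reg.exe"):
        return None
    cmd = event.get("command_line", "")
    tokens = cmd.split()
    # reg.exe syntax is "reg <verb> <key> ..."; only save/export copy a hive out.
    if len(tokens) < 2 or tokens[1].lower() not in REG_EXPORT_VERBS:
        return None
    if not HIVE_PATTERN.search(cmd):
        return None
    return f"reg.exe {tokens[1].lower()} of a credential hive by {event.get('user')}: {cmd}"


def check_registry_access(event):
    """Return an alert string if a non-LSA process reads under the Secrets key."""
    obj = event.get("object_name", "")
    if not obj.upper().startswith(SECRETS_KEY_PREFIX):
        return None
    proc = event.get("process_name", "").lower()
    if proc in ALLOWED_SECRETS_READERS:
        return None
    return f"Non-LSA process {proc} read LSA secret key {obj} as {event.get('user')}"


def scan(events):
    """Run both checks over parsed events and collect the alerts."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4688:
            alert = check_process_creation(ev)
        elif eid == 4663:
            alert = check_registry_access(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two benign, one expected reader, two that should alert.
SAMPLE_EVENTS = [
    {"event_id": 4688, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "user": r"CORP\alice"},                                   # benign query
    {"event_id": 4688, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe save HKLM\SECURITY C:\Users\Public\sec.hiv",
     "user": r"NT AUTHORITY\SYSTEM"},                          # alert
    {"event_id": 4688, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe export HKLM\SOFTWARE\Contoso C:\backup\app.reg",
     "user": r"CORP\bob"},                                     # benign export
    {"event_id": 4663, "object_name": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_MyService",
     "process_name": r"C:\Windows\System32\lsass.exe",
     "user": "SYSTEM"},                                        # expected reader
    {"event_id": 4663, "object_name": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_MyService",
     "process_name": r"C:\Users\Public\tool.exe",
     "user": r"NT AUTHORITY\SYSTEM"},                          # alert
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The two checks are deliberately independent: the 4688 check works with default auditing, while the 4663 check only fires once the Secrets key carries an audit SACL, so enabling that SACL is the prerequisite for covering in-memory tools that read the key without ever launching reg.exe.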

Example

A demo utilizing mimikatz for LSA Secrets.

As in the previous demos, the screenshot above shows this being achieved with mimikatz and the SAM and SYSTEM hive files; as before, we first need to elevate our privileges to SYSTEM.

Reference:

https://github.com/gentilkiwi/mimikatz